sase edge

SASE Definition

 

 

SASE Definition

The following post highlights the rise of SASE and provides a good SASE definition. Firstly, the SASE meaning is down to the environment that we are in. In a cloud-centric world, users and devices require access to services everywhere. The focal point has changed. Now it is the identity of the user and device as opposed to the traditional model that focused solely on the data center with a bunch of network security components. These environmental changes have created a new landscape we must protect and connect.

Many common problems challenge the new landscape. Due to deployed appliances for different technology stacks, enterprises are loaded with complexity and overhead. The legacy network and security designs increase latency. In addition, the world is encrypted when considering Zero Trust SASE. This needs to be inspected without degrading application performance.

 

For additional pre-information, you may find the following helpful for pre-information:

  1. SD-WAN SASE
  2. SASE Solution
  3. Security Automation

 



SASE Definition

Key SASE Meaning Discussion Points:


  • WAN transformation.

  • WAN challenges and how SASE solves them.

  • Challenge: Managing the network.

  • Challenge: Site connectivity.

  • Challenge: Site performance.

  • Challenge: Cloud agility.

  • Challenge: Security.

 

These are reasons to leverage a cloud-delivered secure access service edge (SASE). SASE meaning consists of a tailored network fabric: optimized where it makes the most sense for the user, device, and application – at geographically dispersed PoPs enabling technologies that secure your environment with technologies such as single packet authorization.

 

  • A key point: Video on SASE deployment.

In the following video, we are going to address SASE deployment. In particular, we will look at the Cisco version of SASE with Cisco Umbrella. We will look at a sample SASE design consisting of several PoPs geographically depressed, along with what each of these PoPs may look like. Keep in mind that SASE is not a one-box solution; everyone will have different networking and security requirements, and I will offer some guidance on starting a SASE project. I think the best place to start a SASE project is with SD-WAN. SD-WAN is mainstream now and has some great SD-WAN security features.

 

 

the rise of sase
Diagram: Cloud-native application security. The rise of SASE.

 

SASE Meaning

The rise of SASE and digital transformation

There has been a loss of confidence in the network. As a result, organizations uncover weaknesses in their networks when they roll out digital initiatives. This seems to be true for MPLS backbones and in some SD-WAN designs, where there is a lag in security, cloud connectivity, mobility, and site connectivity. Confidence in SD-WAN and MPLS has significantly decreased when confronted with the digital structure of network transformation. Intrinsically, SD-WAN is not an all-in-one-encompassing solution, whereas MPLS is rigid and fixed.

It is common to find that before adopting digital transformation, they were more confident in their networks than in post-digital transformations. Therefore, it is difficult to predict the impact of digital transformation on networks. Enterprises must ensure they have the proper infrastructure with the correct performance and security levels. Digital transformation is not just about replacing MPLS. Networking professionals must broaden their focus to encompass security, cloud, and mobility.

sase definition
Diagram: SASE definition. Driving digital transformation.

 

WAN Transformation: SASE Meaning

SASE Meaning

All these problems can be avoided by switching to SASE, a new enterprise networking technology category introduced by Gartner in 2019. SASE meaning is the convergence of security, cloud connectivity, mobility, and site connectivity: enabling the architecture to correlate disparate data points. It is an all-in-one encompassing solution that provides a ready-made solution for the WAN transformation journey. Gartner expects at least 40% of enterprises to have explicit strategies to adopt SASE by 2024.

Today, customers are looking for a WAN transformation solution that connects and secures all edges – sites, cloud resources, mobile users, and anything else that might emerge tomorrow. MPLS is not the right approach, and some SD-WAN deployments are causing question marks. So, a SASE definition, on the other hand, assists significantly in post-digital transformation. So, let us shine the torch on some of the digital transformation challenges likely to surface. These challenges include complexity with management and operations, site connectivity, performance between locations, inefficient security, and cloud agility.

 

SASE definition
Diagram: SASE: Combining network and security.

 

SASE Definition: Secure Access Service Edge (SASE)

The SASE definition combines network security functions (such as SWG, CASB, FWaaS, and Zero Trust Network Access (ZTNA) with SD-WAN to support organizations’ dynamic, secure access needs. These capabilities are delivered by XaaS primarily and are based on the entity’s identity, real-time context, and security/compliance policies. SASE changes the focal point to the identity of the user and device. With traditional network design, this was the on-premises data center. The traditional enterprise network and network security architectures place the internal data center as the focal point for access. These designs are proving ineffective and cumbersome with the rise of cloud and mobile. Traffic patterns have changed considerably, and so has the application logic.

 

  • A key point: “Software-defined” secure access

SASE consolidates networking and security-as-a-service capabilities into a cloud-delivered secure access service edge. The cloud-delivered service provides you with policy-based “software-defined” secure access. The “software-defined” secure access consists of a worldwide fabric of points of presence (POPs) and peering relationships. With the PoP design, the general architecture is to move inspection engines to the sessions, not reroute the engines’ sessions as traditional designs do. This design is more aligned with today’s traffic patterns and application logic.

 

        • SASE offers a tailorable network fabric comprising the SASE PoPs geographically dispersed.

 

The architecture allows you to accurately specify every network session’s performance, reliability, security, and cost. This is based on identity and context. For practical, secure access, decisions must be centered on the entity’s identity at the source of the connection. And not a traditional construct such as the IP address or mere network location. The requesting entity can be the user, device, branch office, IoT device, edge computing location, and policy based on these parameters.

 

  • A key point: Security and Identity

With a SASE platform, when we create an object, such as a policy in the networking domain and is then available in other domains, such as security. So any policies assigned to users are tied to that user regardless of network location. This removes the complexity of managing network and security policies across multiple locations, users, and devices. Again, all of this can be done from one platform. Also, when examining security solutions, many buy individual appliances that focus on one job. To troubleshoot, you need to gather information, such as the logs from each device. A SIEM is valuable but can only be used in some organizations as a resource-heavy. For those that don’t have ample resources, the manual process is backbreaking, and there will be false positives.

 

sase security
Diagram: SASE security. The PoP architecture.

 

SASE Definition with Challenge 1: Managing the Network

If you look across the entire networking and security industry, everyone is selling individual point solutions that are not a holistic joined-up offering. Thinking only about MPLS replacement leads to incremental, point solution acquisitions when confronted by digital initiatives, making their networks more complex and costly. Principally, distributed appliances for both network and security at every location require additional tasks such as installation, ongoing management, regular updates, and refreshes. This results in far too many security and network configuration points. We see this all the time with NOC and SOC integration efforts.

 

Numerous integration points

The point-solution approach addresses one issue and requires a considerable amount of integration. Therefore, you must constantly add solutions to the stack, likely resulting in management overhead and increased complexity. Let’s say you are searching for a new car. Would you prefer to build the car with all the different parts or buy the already-built one? In the same way, if we examine the network and security industry, the way it has been geared up presently is provided in parts. It’s your job to support, manage and build the stack over time, and scale the stacks when needed. Fundamentally, it would help if you were an expert in all the different parts. However, if you abstract the complexity into one platform, you don’t need to be an expert in everything. SASE is one of the effective ways to abstract management and operational complexity.

 

SASE Meaning: How SASE solves this

Converging network and security into a single platform does not require multiple integration points. This will eliminate the need to deploy these point solutions and the complexities of managing each. Essentially, with SASE, we can bring each point solution functionalities together and place them under one hood – the SASE cloud. SASE merges all of the networking and security capabilities into a single platform.

This way, you now have a holistic joined-up offering. Customers don’t need to perform upgrades, size, and scale their network. Instead, all of this is done for them in the SASE cloud that creates a fully-managed and self-healing architecture. Besides, the convergence is minimal if something goes wrong in one of the SASE Pops. All of this is automatic, and there is no need to set up new tunnels or have administrators step in to perform configurations.

 

sase definition
Diagram: SASE definition. No more point solutions.

 

SASE Definition with Challenge 2: Site Connectivity

SD-WAN appliances require other solutions for global connectivity and to connect, secure, and manage mobile users and cloud resources. As a result, many users are turning to Service Providers to handle the integration. The carrier-managed SD-WAN providers integrate a mix of SD-WAN and security devices to form SD-WAN services. Unfortunately, this often makes the Service Providers inflexible in accommodating new requests. The telco’s lack of agility and high bandwidth costs will continue to be a problem. The time taken to deploy new locations has been the biggest telco-related frustration, especially when connecting offices outside of the telco’s operating region to the company’s MPLS network. For this, they need to integrate with other telcos.

 

SASE Meaning: How SASE solves this

SASE handles all of the complexities of management. As a result, the administrative overhead for managing and operating a global network that supports site-to-site connectivity and enhanced security, cloud, and mobility is kept to an absolute minimum.

 

SASE Definition with Challenge 3: Performance Between Locations

The throughput is primarily determined by latency and packet loss, not bandwidth. Therefore, for an optimal experience for global applications, we need to explore ways to manage the latency and packet loss end-to-end for last-mile and middle-mile segments. Most SD-WAN vendors don’t control these segments, affecting application performance and service agility. Consequently, there will be constant tweaking at the remote ends to attain the best performance for your application. With SD-WAN, we can bundle transports and perform link bonding to solve the last mile. However, this does not create any benefits for the middle mile bandwidth. MPLS will help you overcome the middle-mile problems, but you will likely pay a high price.

 

Define SASE
Diagram: Define SASE. Link Bonding is only suitable for last-mile performance.

 

SASE Meaning: How SASE solves this

The SASE cloud already has an optimized converged network and security platforms. Therefore, sites need to connect to the nearest SASE PoP. This way, the sites are placed on the global private backbone to take advantage of global route optimization, dynamic path selection, traffic optimization, and end-to-end encryption. The traffic can also be routed over MPLS, directly between sites (not through the SASE PoP), and from IPsec tunnels to third-party devices. The SASE architecture optimizes the last and middle-mile traffic flows.

 

Optimization techniques

The SASE global backbone has several techniques that improve the network performance, resulting in predictable, consistent latency and packet loss. The SASE cloud has complete control of each PoP and can employ optimizations. It uses proprietary routing algorithms that factor in latency, packet loss, and jitter. These routing algorithms favor performance over cost and select the optimal route for every network packet. This is compared to Internet routing, where metrics don’t consider what is best for the application or the application type.

 

SASE Definition with Challenge 4: Cloud Agility

Cloud applications are becoming the most critical to organizations, even more severe than those hosted in their private data centers. When delivering cloud resources, we need to consider more than just providing connectivity. In the past, when we spoke about agility, we were concerned only with the addition of new on-premises sites. However, now this conversation needs to encompass the cloud. Primarily, delivering cloud applications is about providing an application experience that is as responsive as the on-premises applications. However, most SD-WANs have a low response rate for rapidly delivering new public cloud infrastructure. MPLS is expensive, rigid, and not built for cloud access.

 

 

SASE Meaning: How SASE solves this

Cloud Native Meaning

SASE natively supports cloud data centers (IaaS) and applications (SaaS) without additional configuration, complexity, or point solutions enabling built-in cloud connectivity. This further enables the rapid delivery of new public cloud infrastructure. The SASE PoPs are collocated in the data centers, directly connected to the IXP of the leading IaaS providers, such as Amazon AWS, Microsoft Azure, and Google Cloud Platform. In addition, cloud applications are optimized through SASE’s ability to define the egress points. This helps exit the cloud application traffic at the points closest to the customer’s application instance.

The optimal global routing algorithms can determine the best path from anywhere to the customer’s cloud application instance. This provides optimal performance to the cloud applications regardless of the user’s location. So when we talk about performance to the cloud with SASE, the latency to the cloud is comparable to the optimized access provided by the cloud providers, such as AWS Direct Connect or Azure Express Route. So authentically, SASE provides out-of-the-box cloud performance.

 

SASE Definition with Challenge 5: Security

The security landscape is constantly evolving. Therefore, network security solutions must evolve to form a well-founded landscape. Ransomware and Malware will continue to be the primary security concerns from 2020 onward. This is a challenge for the entire organization to combat the various solutions designed with complex integration points scattered through the network domain. Security must be a part of any WAN transformation initiative protecting the users and resources regardless of the underlying network managed through a single-pane-of-glass.

However, a bundle of non-integrated security products results in appliance sprawl that hinders your security posture instead of strengthening it. The security solution must defend against emerging threats like malware/ransomware. In addition, it must boost the ability to enforce corporate security policies on mobile users. Finally, the security solution must also address the increasing cost of buying and managing security appliances and software.

 

sase edge
Diagram: SASE Edge: The issues of service chaining.

 

  • A key point: Security and encryption

So we know there is an increase in complexity due to the disparate tools required to address the different threat vectors. So, for example, we have DLP that can be spread across the SWG, CASB, and DLP but with three different teams managing each. What about the impact of encrypted web traffic on the security infrastructure? The issue is that most internet traffic is now encrypted, and attackers deliver the payloads, deliver command and control instructions, and exfiltrate data over encrypted protocols. Organizations cannot decrypt all network traffic for performance reasons and avoid looking at sensitive employee information. Also, the issues with the scalability of encrypted traffic management solutions. This can, too, cause performance issues.

 

  • A key point: MPLS and SD-WAN

MPLS does not protect the resources and users, certainly not those connected to the Internet. On the other hand, SD-WAN service offerings are not all created equal since many do not include firewall/security features for threat protection to protect all edges – mobile devices, sites, and cloud resources. This lack of integrated security complicates SD-WAN deployments. Also, this often leads to Malware getting passed the perimeter unnoticed.

 

  • A key point: The cost involved

Security solutions are expensive, and there is never a fixed price. Some security vendors may charge on the usage models for which you don’t yet have the quantity. This makes the process of planning extremely problematic and complex. As the costs keep increasing, we often find that security professionals would trade off point-security solutions due to the associated costs. This is not an effective risk-management strategy. The security controls are also limited to mobile VPN solutions. More often than not, they are very coarse, forcing IT to open access to all the network resources. Protecting mobile users requires additional security tools, such as next-generation firewalls (NGFWs). So again, we have another point solution. In addition, mobile VPN solutions provide no last- or middle-mile optimization.

 

SASE Meaning: How SASE solves this

SASE converges a complete security stack into the network, allowing SASE to bring granular control to sites and mobile and cloud resources. This is done by enforcing the zero-trust principles for all edges. SASE provides the capability of anti-malware protection for both WAN and Internet traffic. In addition, for malware detection and prevention, SASE can offer signature and machine-based learning protection consisting of several integrated anti-malware engines.

For malware communication, SASE can stop the outbound traffic to C&C servers based on reputation feeds and network behavioral analysis. Mobile user traffic is fully protected by SASE’s advanced security services, including NGFW, secure web gateway (SWG), threat prevention, and managed threat detection and response. Furthermore, in the case of mobile, SASE mobile users can dynamically connect to the closest SASE PoP regardless of the location. Furthermore, as discussed previously, all relevant optimizations performed by the SASE cloud are available for mobile users.

 

    • Rethink the WAN

The shift to the cloud, edge computing, and mobility offer new opportunities for IT professionals. To support these digital initiatives, the network professionals must rethink their approach to the WAN transformation. WAN transformation is not just about replacing MPLS with SD-WAN. It needs an all-encompassing solution that provides the proper network performance and security level for enhanced site-to-site connectivity, security, mobile, and cloud.

 

network security solution
Diagram: SASE, a network security solution.

 

SASE Meaning: SASE wraps up

SASE is a network and security architecture consolidating numerous network and security functions, traditionally delivered as siloed point solutions, into an integrated cloud service. It does this by combining several network and security capabilities along with cloud-native security functions. The functions are delivered from the cloud and provided by the SASE vendor. They are essentially providing a consolidated, platform-based approach to security. We have a cloud-delivered solution consolidating multiple edge network security controls and network services into a unified solution with centralized management and distributed enforcement.

 

The appliance-based perimeter

Even Though there has been a shift to the cloud, the traditional perimeter network security solution has remained appliance-based. The shift for moving security controls to the cloud is for better protection and performance, plus ease of deployment and maintenance. The initial performance of the earlier cloud-delivered solutions has been overcome, and this was overcome with the introduction of optimized routing and global footprint. Although, there is a split in opinion about performance and protection. Many consider protection and performance to be prime reasons to remain on-premises and keep the network security solutions on-premises.

 




Key SASE Definition Summary Points:

Main Checklist Points To Consider

  • The rise of SASE and the causes of digital transformation.

  • Technical details on the issues of MPLS with the lack of agility. 

  • Technical details on the SASE PoP and the converging of networking and security to a SaaS solution.

  • Discuss the numerous challenges of managing the network and how SASE solves this.

  • A final note on the appliance-based perimeter.

 

 

Matt Conran: The Visual Age
Latest posts by Matt Conran: The Visual Age (see all)

Comments are closed.